Federated authentication is a service architecture designed to improve the manageability and user experience of network application environments which operate under a many-to-many relationship between the set of users and the set of applications. The practical manifestation of a federated authentication platform is the ability to perform Single Sign On (SSO), i.e., allowing a user to log on to a plurality of network applications without requiring her to enter credentials each time she crosses the virtual boundary between different administrative domains.
A central concept in federated authentication is the clustering of various service providers (these may be embodied as individual servers, or as different applications on the same server) into a federation that relies on a common identity provider. Any authentication request from a new user is processed by the common authenticator, which issues a “ticket”. This ticket constitutes an assertion of the common authenticator on the user's identity and, in some embodiments, on the user's associated authority to access services within the federation. The ticket can be subsequently presented to different service providers within the same federation. The ticket has a limited lifetime; it may either expire automatically (after expiry of a predefined amount of time), or expire as the result of an explicit action (e.g., the user logging out from the federation, or a ticket revocation initiated by the common authenticator). Such expiration of the ticket is separate from the expiration of a logon session on a particular server, which requires the user to log on again.
Several variations of federated authentication schemes are known in the art. For example, U.S. Pat. No. 6,668,322 [U.S. Pat. No. 6,668,322 B (WOOD, DAVID ET AL.)] discloses an access management system and method employing secure credentials. The method includes authenticating an end user (client) by means of a login credential, and issuing cryptographically secured session credentials that may be used to obtain access to a plurality of information resources, whereby verification of a session credential does not require knowledge of the key with which that session credential was generated. This way of cryptographically securing the session credential allows for an architecture whereby a centralized authentication infrastructure issues the session credentials, but a decentralized cloud of application providers is capable of autonomously verifying these session credentials. Wood et al. also disclose according a finite lifetime to the cryptographically secured session credentials. Wood et al. further disclose issuing different cryptographically secured session credentials associated with different trust levels, which give access to different information resources, notably to provide the possibility to protect more sensitive resources with a stronger form of authentication.
US Patent Publication No. 2002/0184507A1 [US 2002184507 A (MAKOWER, DAVID ET AL.) 2002, Dec. 5] discloses a centralized single sign on method and system for a client-server environment, focusing more specifically on hypertext transfer protocol (http) interactions, i.e. a “web single sign on” solution. In that architecture, “users authenticate themselves with any one of a group of federated servers, each federated server communicates with the central sign on server so that a user with a current session does not need to be re-authenticated by other servers in the federation”. The scheme involves http redirection from the server application to which access is desired (the “originating server”) to a central sign on server, and back to the originating server. The first redirect instruction includes a challenge generated by the originating server. The central sign on server first looks for an indication of whether the client has already established a session, which might be signalled by the presence of an http “cookie”. If no session has been established in advance, the central sign on server generates a new “cookie” and redirects the client back to the originating server (including the originating server's challenge with the redirect instructions). The redirected client will then authenticate with the originating server, which keeps a record of the session thus established and informs the central sign on server of this session in a secure way (using signed and encrypted communication). The session has a finite lifetime. As long as the session is valid, any subsequent requests from the same client to access other servers in the federation will be redirected from the central sign on server to the respective originating servers, with a signature over the relevant session identification data and the originating server's challenge to confirm that a valid session has already been established with at least one federated server.
Upon being informed of the setup of each subsequent session at any federated server, the central sign on server updates the expiry time of the relevant client's session. Conversely, the central sign on server may, upon a request from the client relayed by a federated server, actively terminate an existing session, and propagate this termination towards all federated servers at which local sessions are still active.
In U.S. Pat. No. 7,194,547 [U.S. Pat. No. 7,194,547 B (MOREH, JAHANSHAH ET AL.) 2007, Mar. 20], a federated authentication service is disclosed which allows clients to authenticate through a variety of authentication mechanisms. In that architecture, a protocol proxy is used to translate and relay the client's credentials to an appropriate authentication mechanism, and to generate, upon successful authentication, a “name assertion” which can be used by the client to access a server application. In the method according to Moreh et al., the client initiates the process of obtaining access to the server application by contacting an authentication agent and passing to it the relevant identity and domain of the client. The authentication agent provides information about an authentication mechanism for the client to use. The client then communicates an authentication request for access to the server application to a protocol proxy. The protocol proxy receives the authentication request from the client and translates it into the native protocol of the appropriate authentication mechanism. The protocol proxy attempts to authenticate with the authentication mechanism and, upon successful authentication, the protocol proxy receives back from the authentication mechanism a response including attributes and access rights of the client. The protocol proxy then creates a name assertion and, optionally, entitlements, which it translates into an authentication response transmitted back to the client. The expiration time of the name assertion can be requested by the client, the server application, or the authentication mechanism. The client delivers the authentication response to the server application.
The basic advantage of a single sign on system is that a user only authenticates once. After a successful authentication to the central single sign on system, the central system will cause the user to automatically log in to other systems. After a configured amount of time since the last user activity in the session, the authentication session on the single sign on system expires and the user has to re-authenticate.
In many single sign on systems, each authentication type has an associated authentication trust level. Applications integrated with these single sign on systems will define a certain required authentication trust level. Users of such an application will need to be authenticated at the defined authentication trust level or better, before being allowed to use that application.
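The ticket model described above (a common authenticator issuing a ticket with a finite lifetime that can also be revoked explicitly, service providers in the federation verifying that ticket autonomously, an inactivity timeout forcing re-authentication, and applications demanding a minimum authentication trust level) can be exercised end to end in a few dozen lines. The following is an added illustration and is not code from any of the cited patents. It makes two simplifying assumptions: the ticket is protected by an HMAC over a base64-encoded JSON body, so every service provider shares the issuer's key (Wood et al. describe credentials verifiable without the issuing key, which would call for an asymmetric signature instead), and revocation and idle tracking are modelled as an in-process lookup on the identity provider rather than the signed, propagated notifications of the Makower scheme. The trust-level ordering, user names, timestamps and key are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust-level ordering: a higher number means stronger authentication.
TRUST_LEVELS = {"password": 1, "otp": 2, "smartcard": 3}


def ticket_body(ticket: str) -> dict:
    """Decode the (unverified) JSON body of a ticket; use only after HMAC check."""
    payload = ticket.rsplit(".", 1)[0]
    return json.loads(base64.urlsafe_b64decode(payload))


class IdentityProvider:
    """Common authenticator: issues tickets, tracks activity, revokes tickets."""

    def __init__(self, key: bytes, lifetime: int = 600, idle_timeout: int = 120):
        self._key = key
        self.lifetime = lifetime          # absolute ticket lifetime (seconds)
        self.idle_timeout = idle_timeout  # inactivity window before re-authentication
        self._last_activity = {}          # ticket id -> last seen timestamp
        self._revoked = set()
        self._counter = 0

    def issue(self, user: str, auth_type: str, now: int) -> str:
        """Assert the user's identity and trust level in a ticket with an expiry."""
        self._counter += 1
        body = {"id": f"t{self._counter}", "sub": user,
                "level": TRUST_LEVELS[auth_type], "iat": now, "exp": now + self.lifetime}
        payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
        tag = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        self._last_activity[body["id"]] = now
        return f"{payload}.{tag}"

    def touch(self, ticket_id: str, now: int) -> bool:
        """Record activity; False once the idle window has elapsed (re-auth needed)."""
        last = self._last_activity.get(ticket_id)
        if last is None or now - last > self.idle_timeout:
            self._last_activity.pop(ticket_id, None)
            return False
        self._last_activity[ticket_id] = now
        return True

    def logout(self, ticket_id: str) -> None:
        """Explicit expiry: user logout or authenticator-initiated revocation."""
        self._revoked.add(ticket_id)
        self._last_activity.pop(ticket_id, None)

    def is_revoked(self, ticket_id: str) -> bool:
        return ticket_id in self._revoked


class ServiceProvider:
    """A federated application that requires a minimum trust level."""

    def __init__(self, key: bytes, required_level: int, idp: IdentityProvider):
        self._key = key
        self.required_level = required_level
        self._idp = idp

    def admit(self, ticket: str, now: int) -> tuple:
        """Return (admitted, reason-or-subject) for a presented ticket."""
        try:
            payload, tag = ticket.rsplit(".", 1)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"   # integrity check comes before any parsing
        body = json.loads(base64.urlsafe_b64decode(payload))
        if now >= body["exp"]:
            return False, "expired"         # automatic expiry after predefined lifetime
        if self._idp.is_revoked(body["id"]):
            return False, "revoked"         # explicit expiry (logout / revocation)
        if not self._idp.touch(body["id"], now):
            return False, "idle timeout"    # inactivity since last use exceeded
        if body["level"] < self.required_level:
            return False, "insufficient trust level"
        return True, body["sub"]


def demo() -> dict:
    """Walk one user through the federation; timestamps are constructed seconds."""
    key = b"constructed-demo-key"
    idp = IdentityProvider(key, lifetime=600, idle_timeout=120)
    wiki = ServiceProvider(key, required_level=1, idp=idp)     # password suffices
    payroll = ServiceProvider(key, required_level=2, idp=idp)  # needs OTP or better
    t1 = idp.issue("alice", "password", now=1000)
    out = {"wiki": wiki.admit(t1, now=1010),
           "payroll_password": payroll.admit(t1, now=1020),
           "idle": wiki.admit(t1, now=1200)}                   # 180 s idle > 120 s
    tampered = t1[:-1] + ("0" if t1[-1] != "0" else "1")       # flip one tag hex digit
    out["tampered"] = wiki.admit(tampered, now=1030)
    t2 = idp.issue("alice", "otp", now=1300)                   # step-up authentication
    out["payroll_otp"] = payroll.admit(t2, now=1310)
    idp.logout(ticket_body(t2)["id"])
    out["after_logout"] = payroll.admit(t2, now=1320)
    t3 = idp.issue("bob", "smartcard", now=2000)
    out["expired"] = wiki.admit(t3, now=2700)                  # past exp = 2600
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

Two ordering choices in `admit` matter in practice: the HMAC is checked before the body is parsed, so a forged or tampered ticket is rejected before any of its claims are read, and the absolute lifetime, revocation status and idle window are all checked before the trust-level comparison, so a stale ticket is never admitted merely because it was issued at a high trust level.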